Overview

overview

10

Static

static

7f5efb9dbd...f7.exe

windows7-x64

10

7f5efb9dbd...f7.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7

  • Size

    11.7MB

  • Sample

    221130-q15rwaeg73

  • MD5

    8bd3bff5e679f6b14e42d7b66aa8497f

  • SHA1

    76891d257c1a9ba36426b3e834b8eda6c5254ffc

  • SHA256

    7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7

  • SHA512

    05deb4c1c8fa09c07600dbb79b2ad35c1532f773b7ab28d18c833c8b63d7e076ce2e232bd13a2eb9abd1a2f3d1668d7802d0fa205f619222358d4368fb06a0df

  • SSDEEP

    384:rMgQoufci5qP6TseVkeHD9xu+FyVQVhwfPl5SCuZacZ/LsytKY1Q39cYAYAwj7aW:6ro

Score
10/10
asyncratquasarkatayumiskidyevasionratspywaretrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Katayumi

C2

normal-knife.auto.playit.gg:54950

normal-knife.auto.playit.gg:7707
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    ZxKKE4oK8.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Skidy

C2

roasted-flag.auto.playit.gg:51952

Mutex

VNM_MUTEX_bsVy5mHRmaFZMQOLbI

Attributes
  • encryption_key

    ux20jjbixeS7PecgmZeq

  • install_name

    windows.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    windows

  • subdirectory

    $windows

Targets

    • Target

      7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7

    • Size

      11.7MB

    • MD5

      8bd3bff5e679f6b14e42d7b66aa8497f

    • SHA1

      76891d257c1a9ba36426b3e834b8eda6c5254ffc

    • SHA256

      7f5efb9dbd99c1fca3ebe59c5c38aacb9721d757671aee350a0a2107c41a2df7

    • SHA512

      05deb4c1c8fa09c07600dbb79b2ad35c1532f773b7ab28d18c833c8b63d7e076ce2e232bd13a2eb9abd1a2f3d1668d7802d0fa205f619222358d4368fb06a0df

    • SSDEEP

      384:rMgQoufci5qP6TseVkeHD9xu+FyVQVhwfPl5SCuZacZ/LsytKY1Q39cYAYAwj7aW:6ro

    Score
    10/10
    asyncratkatayumievasionrattrojanquasarskidyspyware

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • Turns off Windows Defender SpyNet reporting

      evasion

    • Windows security bypass

      evasiontrojan

    • Async RAT payload

      rat

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks